240b026248c68f088497aae4ac056ae6e027035bb05bfae54d69c4a2f6d634d4

Analysis

max time kernel
3s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69bce3b843a56becf6fa039d16b8abc1.exe
Size

98KB
MD5

69bce3b843a56becf6fa039d16b8abc1
SHA1

9ecf36d0cca50e3f5653f99a2a6cc0ed784aa468
SHA256

240b026248c68f088497aae4ac056ae6e027035bb05bfae54d69c4a2f6d634d4
SHA512

e97062d8a9f8d48db863b3a6c7c319e8b6c67290f6f4a716ef6d272e9b91fe55788ac0c01ddc551c23c91eee58cf937b836a3e742ee63e9538a2a469df6cfab5
SSDEEP

1536:1QpQ5EP0ijnRTXJn7NeYRNgKJ+BCy+CWSCZfdI39kHnXwID44UDyS/U8Q:1QIURTXJZeqgKJ+BCNCWxZWNGn4jQ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2824	downloadmr.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	69bce3b843a56becf6fa039d16b8abc1.exe
3044	69bce3b843a56becf6fa039d16b8abc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2824	3044	69bce3b843a56becf6fa039d16b8abc1.exe	15
PID 3044 wrote to memory of 2824	3044	69bce3b843a56becf6fa039d16b8abc1.exe	15
PID 3044 wrote to memory of 2824	3044	69bce3b843a56becf6fa039d16b8abc1.exe	15
PID 3044 wrote to memory of 2824	3044	69bce3b843a56becf6fa039d16b8abc1.exe	15

C:\Users\Admin\AppData\Local\Temp\69bce3b843a56becf6fa039d16b8abc1.exe
"C:\Users\Admin\AppData\Local\Temp\69bce3b843a56becf6fa039d16b8abc1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\nsd225.tmp\downloadmr.exe
  C:\Users\Admin\AppData\Local\Temp\nsd225.tmp\downloadmr.exe /es129312
  2⤵
  - Executes dropped EXE
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsd225.tmp\downloadmr.exe

Filesize
88KB

MD5
c20412a0c9d47656f9f97aa5cb7812cb

SHA1
8b55384408e93184b098559084a7746e1ab77036

SHA256
ef757b82a1db0330051d6e16468ad1e906bff88e29d919f3939742a98da87c8d

SHA512
6630ecb5bec345ac08c989d5bfaa2d718ebf89adddae34dcd4e0353668f8aff0f3d068b7bad5117a631420c8a32ebccfe9f228dd8e4b2561cbe9e947e23fbef0

Download Submit
memory/2824-10-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-17-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2824-72-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2824-71-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2824-73-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download
memory/2824-74-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/2824-75-0x0000000002200000-0x0000000002240000-memory.dmp

Filesize
256KB

Download